CVE-2026-25810
📋 TL;DR
PlaciPy placement management system version 1.0.0 has an authorization vulnerability where authenticated users can access other users' student submission data due to missing ownership checks. This affects all educational institutions using the vulnerable version. The vulnerability allows unauthorized data access but requires valid authentication.
💻 Affected Systems
- PlaciPy
📦 What is this software?
PlaciPy by Praskla Technology
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could access, modify, or delete all student submission data across the entire system, potentially exposing sensitive educational records and compromising data integrity.
Likely Case
Authenticated users (students, faculty, or administrators) could view or manipulate student submission data belonging to other users, leading to privacy violations and potential academic integrity issues.
If Mitigated
With proper authorization checks, users would only be able to access their own data or data they're explicitly authorized to view, maintaining proper data segregation.
🎯 Exploit Status
Exploitation requires valid authentication but minimal technical skill once authenticated. Attackers would need to manipulate object IDs or parameters in API requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1 or later
Vendor Advisory: https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-2gqv-gxrj-p8x3
Restart Required: Yes
Instructions:
1. Update PlaciPy to version 1.0.1 or later.
2. Restart the application server.
3. Verify the fix by testing authorization controls.
🔧 Temporary Workarounds
Implement middleware authorization checks:
- Add authorization middleware that verifies user ownership before processing student submission requests
- Implement authorization logic in backend/src/routes/student.submission.routes.ts to check that the current user owns the requested resource
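The ownership check the workaround describes, as an added example that is not PlaciPy's code: a route-handler shape that trusts the submission ID alone (the vulnerable pattern) beside one that compares the record's owner with the authenticated user. It is written as plain TypeScript functions so it runs without Express; the type names, the in-memory store, and the faculty/admin allowance are assumptions.

```typescript
// Added example, not PlaciPy code. Submission, AuthUser, Outcome and the
// sample store are assumptions standing in for the project's real types.
type Role = "student" | "faculty" | "admin";

interface AuthUser { id: string; role: Role; }
interface Submission { id: string; ownerId: string; content: string; }
interface Outcome { status: 200 | 403 | 404; body?: Submission; }

// Constructed sample data in place of the submissions table.
const submissions: Record<string, Submission> = {
  "s-100": { id: "s-100", ownerId: "u-alice", content: "alice placement report" },
  "s-200": { id: "s-200", ownerId: "u-bob", content: "bob placement report" },
};

// Vulnerable shape: the handler resolves the :id parameter and never compares
// the record's owner with the caller, so any authenticated user can read any
// submission by changing the ID in the request.
function getSubmissionVulnerable(_user: AuthUser, id: string): Outcome {
  const sub = submissions[id];
  return sub ? { status: 200, body: sub } : { status: 404 };
}

// Ownership rule (assumption): the owner may read their own submission, and
// faculty/admin roles are treated as explicitly authorized reviewers.
function canAccess(user: AuthUser, sub: Submission): boolean {
  return sub.ownerId === user.id || user.role === "faculty" || user.role === "admin";
}

// Hardened shape: load the record, then enforce ownership before returning it.
// A denied request is logged with both IDs, which is the mismatch the
// detection section's SIEM query looks for.
function getSubmissionHardened(user: AuthUser, id: string): Outcome {
  const sub = submissions[id];
  if (!sub) return { status: 404 };
  if (!canAccess(user, sub)) {
    console.warn(`authz denied user_id=${user.id} resource_owner_id=${sub.ownerId} submission=${id}`);
    return { status: 403 };
  }
  return { status: 200, body: sub };
}
```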
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to the student submission endpoints to only authorized users
- Add application-level authorization checks in a reverse proxy or API gateway to validate user ownership before requests reach the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Test if authenticated user A can access student submission data belonging to user B by manipulating object IDs in API requests to /api/student/submission endpoints
Check Version:
Check package.json or application metadata for PlaciPy version
Verify Fix Applied:
After patching, verify that authenticated users can only access their own student submission data and receive proper authorization errors when attempting to access others' data
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for student submission endpoints
- User accessing student submission IDs not associated with their account
- Unusual patterns of data access across different user accounts
Network Indicators:
- HTTP 200 responses for student submission requests with mismatched user IDs
- High volume of requests to student submission endpoints from single authenticated users
SIEM Query:
source="application.logs" AND ("student.submission" OR "/api/student/submission") AND (user_id != resource_owner_id)